← Rules Catalog
highsystemunverified

Set GRUB bootloader password (UEFI)

grub-password-uefi · RHEL ≥ 8 · 1 impl

Description

On UEFI systems the GRUB superuser password hash must be present in /boot/efi/EFI/redhat/user.cfg (a grub.pbkdf2.sha512 entry) to prevent unauthorized boot-parameter changes or single-user access.

Rationale

Without a bootloader password an attacker with console access can edit kernel parameters or enter single-user mode to gain root.

Check → Remediate

Checkcommand
if [ ! -d /sys/firmware/efi ]; then
  echo "NOT APPLICABLE: system booted via BIOS, not UEFI"
  exit 0
fi
if grep -iqE 'grub2_password|password_pbkdf2' /boot/efi/EFI/redhat/user.cfg 2>/dev/null; then
  echo "OK: UEFI GRUB superuser password is set"
  exit 0
fi
echo "FAIL: no GRUB password in /boot/efi/EFI/redhat/user.cfg"
exit 1
expected_exit:
0
Remediatemanual
note:
Run grub2-setpassword (writes /boot/efi/EFI/redhat/user.cfg).

Framework references

STIG

V-230234 / RHEL-08-010140

NIST 800-53

AC-3
#grub#bootloader#uefi#physical-security#stig